Setup roundcube webmail as a proxy for Gmail

Recently, I was asked to find a solution or workaround for people who use Gmail and are visiting countries where there’s limited or no access to Gmail. I’m not talking about bad internet connection quality but about an explicit (government) block on Gmail or related websites. An example is the block on Gmail by the Chinese Great Firewall. While it is possible to avoid the limitation by using a normal proxy or VPN connection, those methods are also actively blocked and monitored. A workaround is to set up your own webmail as a proxy for Gmail.

While the number of countries that are actually blocking Gmail on purpose is very limited, it still can be quite annoying to not have access to your email while you’re there. Especially when you’re doing business in one of those countries. More information about internet censorship by country can be found here: http://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_country

Besides allowing access to Gmail from such countries, there can be other useful reasons to proxy your mail via your own webmail. For example, if you want to use another port to access mail or you want to use your own certificates for security on the front end.

For this post, I will use CentOS 7 in combination with Apache, PHP, MySQL and Roundcube to set up our own webmail.

Setup the base LAMP server

Let’s start by setting up the base of our webmail server: installing the LAMP stack (Linux, Apache, MySQL (or MariaDB), PHP) on top of a minimal CentOS 7.

First, let’s install all necessary packages for LAMP:

Configure MariaDB

After installing, we need to start MariaDB and finish the MariaDB installation:

Configure Apache

After getting MariaDB up and running, it’s time to configure Apache. Since we’ll access our emails over the internet, it’s a good idea to set up Apache with SSL. Although this step is theoretically optional, it prevents leaking your data and username/password in plain text. Especially when you want to avoid government restrictions, you want to mask at least superficially what you’re doing.

To use SSL, we first need to generate a private key and certificate. For this post, I’ll just generate a self-signed certificate, but for a production setup you can use a real or wildcard certificate from a known CA.

Generate a new private key:

Generate a certificate signing request using the key:

Make sure that you fill in relevant information for your setup in the above example.

Sign the CSR and create a self-signed certificate:

After generating the key and certificate, we need to place them in the correct location:

Now we can configure Apache to use them and offer SSL:

Edit the following lines in /etc/httpd/conf.d/ssl.conf:

Enable and start Apache:

Open TCP port 443 on the firewall to allow access to our SSL website:

Test Apache and the SSL-setup by browsing to your webserver (in my example: https://rcmail.test/):


As you can see, you will still get a certificate warning because the certificate isn’t issued by a trusted, public CA. This doesn’t mean that communication between the client and server isn’t encrypted and that’s what we need.
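The key, CSR and self-signed certificate steps of this section, as an added example (not the original post's commands), extended with two checks: that the certificate really carries the generated key, and the SHA-256 fingerprint to compare with what the browser shows in its warning before you accept it. The output directory and the file names `server.key`, `server.csr` and `server.crt` are assumptions.

```shell
#!/bin/sh
# Added example: private key -> CSR -> self-signed certificate, plus the
# checks worth doing before trusting the browser warning.
# Directory layout and file names are assumptions for this sketch.

make_selfsigned() {   # $1 = output directory, $2 = hostname for the CN
    out=$1; cn=$2
    (
        umask 077     # the private key must not be readable by other users
        openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    ) || return 1
    # CSR carrying only the hostname as subject
    openssl req -new -key "$out/server.key" -subj "/CN=$cn" \
        -out "$out/server.csr" || return 1
    # Sign the CSR with the same key: a self-signed certificate, valid 1 year
    openssl x509 -req -sha256 -days 365 -in "$out/server.csr" \
        -signkey "$out/server.key" -out "$out/server.crt" 2>/dev/null
}

# Succeeds only if the certificate holds the public half of the private key.
key_matches_cert() {  # $1 = directory with server.key and server.crt
    pub_k=$(openssl pkey -in "$1/server.key" -pubout) || return 1
    pub_c=$(openssl x509 -in "$1/server.crt" -noout -pubkey) || return 1
    [ "$pub_k" = "$pub_c" ]
}

# SHA-256 fingerprint as colon-separated hex, the form browsers display.
cert_fingerprint() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh mkcert.sh /root/tls rcmail.test
if [ -n "${1:-}" ]; then
    make_selfsigned "$1" "${2:-rcmail.test}" &&
    key_matches_cert "$1" &&
    cert_fingerprint "$1/server.crt"
fi
```

Note the printed fingerprint on the server and compare it with the certificate details in the browser warning; a match shows the connection ends at your own server.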

Install and configure Roundcube for webmail

After configuring the prerequisites, it’s time to set up Roundcube for webmail on the server.

Let’s start by downloading and extracting Roundcube:

The extracted files need to end up in the webroot of Apache. This can be directly in the root or in a subfolder. Since the only purpose of this testserver will be Roundcube, I decided to put everything directly in the root:

Roundcube needs write access for the logs and temp directory. By default, this is prohibited by SELinux, so we explicitly need to allow that:

Once all files are in place, we need to create a database and user for Roundcube:

After creating the DB and user, let’s populate the database with the initial tables:

At this moment, you could configure Roundcube by using the wizard. To do so, you would need to point your browser to https://<your hostname or ip>/installer/

Another option is to create the configuration manually, which I will do for this post.

The configuration contains a DES-key for encryption. Let’s first generate a DES-key of 24 characters to use in the configuration:

If you want to, you can first copy the sample configuration file and edit that, since it’s annotated:

Edit the file in /var/www/html/config/config.inc.php and make sure it contains the following:

The last step before we can start using Roundcube as a Gmail-proxy, is to tell SELinux that Apache is allowed to connect to Gmail on non-standard ports (which we configured in the configuration file for Roundcube):
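The key-generation and configuration steps above, as an added example (not the original post's commands or configuration): it draws a 24-character key from the kernel's random source and writes a minimal `config.inc.php` for Gmail over IMAPS (993) and SMTP submission (587). The option names are those of Roundcube releases before 1.6; the database name, user and `CHANGE_ME` password are placeholders.

```shell
#!/bin/sh
# Added example: generate the 24-character des_key and write a minimal
# Roundcube config for Gmail. Option names are from Roundcube before 1.6;
# database name, user and the CHANGE_ME password are placeholders.

gen_des_key() {
    # 512 random bytes, keep only alphanumerics, take the first 24.
    key=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 24)
    [ "${#key}" -eq 24 ] || return 1   # refuse a short key
    printf '%s' "$key"
}

write_rc_config() {   # $1 = path of the config.inc.php to create
    des_key=$(gen_des_key) || return 1
    (
        umask 027     # result is 0640: des_key and DB password stay private
        cat >"$1" <<EOF
<?php
\$config['db_dsnw'] = 'mysql://roundcube:CHANGE_ME@localhost/roundcube';
// Gmail IMAP over implicit TLS
\$config['default_host'] = 'ssl://imap.gmail.com';
\$config['default_port'] = 993;
// Gmail SMTP submission with STARTTLS, reusing the login credentials
\$config['smtp_server'] = 'tls://smtp.gmail.com';
\$config['smtp_port'] = 587;
\$config['smtp_user'] = '%u';
\$config['smtp_pass'] = '%p';
// "user" at the login form becomes user@gmail.com
\$config['username_domain'] = 'gmail.com';
// Encrypts the IMAP password kept in the session
\$config['des_key'] = '$des_key';
// Keep the web installer switched off
\$config['enable_installer'] = false;
EOF
    )
}

# Usage: sh rc-config.sh /var/www/html/config/config.inc.php
if [ -n "${1:-}" ]; then write_rc_config "$1"; fi
```

On the server, give the file's group to the account Apache runs as (`apache` on CentOS) so the 0640 mode still lets Roundcube read it.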

Test your Gmail proxy

At this point, everything should be ready to log in to Roundcube and access your Gmail inbox through the Roundcube webmail interface.

Connect with your browser to https://<your hostname or ip> (for my example: https://rcmail.test):

Log in with your Gmail credentials (since we configured @gmail.com as the default domain, there’s no need to enter this information, unless you use a Gmail account for another domain).

If all goes well, you should see your inbox and folders and be able to access your mail:


Troubleshooting

In case you get a message saying: “Login Failed”, you can have a look in /var/www/html/logs/errors. In my case, Google didn’t allow me to connect to my account from within another application.

The message was:

To allow Roundcube to access your mail, point your browser to https://www.google.com/settings/u/1/security/lesssecureapps and allow less secure access:


When I created a new account, I didn’t receive the warning/error so most probably it’s something I caused myself.
